Sender Reputation and Email Security – Part 5: DNS-based Authentication of Named Entities (DANE)
Author: Stefan FeistTechnical Writerhttps://www.linkedin.com/in/stefan-feist-23b257b0/ – Connect on LinkedIn
Securing the internet as a whole and electronic communication in particular is still based to a large extent on the use of so-called certificates. One example of this is transport encryption through Transport Layer Security (TLS): With the help of corresponding TLS certificates, web or email servers can be authenticated and the data exchange between them can be encrypted. This encryption ensures that data is transmitted in a tap-proof manner – provided that the certificates used are authenticated beyond doubt.
In the fifth part of our series on sender reputation, we explain how you can use DNS-based Authentication of Named Entities (DANE) to ensure the authenticity of certificates and protect your email traffic from access by criminals.
Potential for misuse even with TLS encryption
If you access the server www.nospamproxy.de, for example, this name must also appear in the TLS certificate. If, in addition, the certificate was issued by a trustworthy certification authority, you can be sure that you are connected to the right server. Unfortunately, it is precisely at this point that there is a certain potential for misuse.
Specifically, an attacker could redirect web or email traffic to a system he or she controls and also use a certificate with the corresponding name. For web servers, this danger is not very high any more because, on the one hand, browsers offer good protection against untrustworthy or even false certificates and, on the other hand, the trustworthy certification authorities do a good job.
However, this does not apply to server-to-server communication in the email sector. Certificates are hardly ever checked. It is not uncommon to even see certificates that have been expired for years in productive use. Thus, emails could be redirected to a compromised system via an encrypted channel.
What is DNS-based Authentication of Named Entities (DANE)?
DANE is a DNS-based network protocol that enables the cryptographic linking of certificates with DNS names when using TLS. With TLS, connections to a server are encrypted using TLS certificates, but the certificates themselves are not (securely) verified.
This is because a browser or email programme cannot recognise whether
the retrieved certificate for the domain was actually created for the domain owner or
a criminal has used DNS spoofing to impersonate the recipient and the email is redirected.
Why TLS is not secure without DANE
When you send an email with your email programme, it is delivered to the sending email server and sent to the receiving server. To ensure that the communication between these two servers is protected, you use TLS, i.e. transport encryption.
To find out whether the receiving server supports encryption using TLS and thus offers encryption, the sending server sends the STARTTLS command as plain text. This initiates the encryption. At this point, criminals have various possibilities to obtain the data contained in the email:
With so-called DNS spoofing, the attackers create a false IP address where the email is sent to. More precisely, fake DNS records are stored in the DNS resolver’s cache so that the name server returns a false IP address. As a result, the traffic is redirected to the attackers’ computer and then forwarded to the actual recipient after the data has been read, so that the attack remains undetected.
With the help of fake TLS certificates, this connection is encrypted which, however, makes no difference in this case. The email ends up in the hands of the attackers and can be decrypted by them.
In this type of attack, all connections from a specific email server are intercepted, for example by tapping into an internet hub. Here, too, the connection is encrypted with the help of a forged certificate and the respective email is then forwarded to the actual recipient.
This form of attack works similarly to a man-in-the-middle attack, but the attacker claims not to support encryption. Since the vast majority of email servers send the email anyway, a certificate is not even required here. The email is transmitted unencrypted and later forwarded by the criminal to the actual recipient.
Emails are sent anyway if there is no TLS support on the recipient’s side, because some experts have agreed on the lowest common denominator for SMTP, so to speak, and act according to the motto “some encryption is better than no encryption”. With STARTTLS it is even more critical because it also allows the option “do not encrypt at all”.
This is different with TLS-based encryption of websites (HTTPS); in case of doubt, a window then opens that the user has to click away. However, email administrators hardly have the capacity to make this decision for hundreds or thousands of emails daily.
Problems when using TLS certificates
How is it that criminals can obtain and use forged certificates? The answer to this question lies in the way TLS certificates are created and authenticated:
Any Certificate Authority (CA) in the world can issue certificates for any domain. This means that even illegitimate certificates may be considered legitimate by email servers simply because one of the countless – possibly untrustworthy – CAs has issued a certificate for a domain. Of course, commercial CAs are subject to very strict guidelines that specify exactly under which conditions a certificate may be issued for a domain, a host name or an email address. In the past, however, there have been repeated attempts by criminals to forge certificates for well-known domains such as google.com or microsoft.com.
Surveillance by governments
Governments can also operate CAs and issue TLS certificates. This enables these governments to monitor email traffic or website content and use. This is especially problematic in countries that have a more relaxed approach to human rights or civil liberties: It is possible, after all, for investigating authorities and secret services to obtain a certificate for a specific, particularly interesting name.
When such certificates are created, no effective authentication takes place. It may not even be checked whether the domain really belongs to the applicant, but only whether the email address provided works.
Certificates from certification authorities cost money. This deters many from using TLS. Self-signed certificates are also not an alternative, as they lack trust due to the lack of validation options. Criminals can also issue them to themselves.
It becomes clear that the assessment of the validity of TLS certificates depends on the trustworthiness of the issuing body. This is where DANE comes into play, which offers a simple and secure way to validate certificates and thus authenticate communication partners.
Authenticating TLS certificates with DANE
With DANE, certificates can be linked to entries in the domain name system (DNS) of the domain owner. The respective DNS communication is secured via DNSSEC so that it is ensured that the transmitted DNS responses can be verified. Without such protection, criminals could also forge these responses.
To use DANE, a TLSA record is stored in the DNS zone of the respective domain. This record contains a hash value that was formed from the certificate used, as well as further information on the interpretation of the TLSA record:
1: Certificate usage
PKIX-TA: Certificate Authority Constraint – Validation of the certificate by a defined Trust Anchor (trustworthy PKIX certification authority). The trust chain of the server certificate must be traced back to this trust anchor and pass the certificate check.
PKIX-EE: Service Certificate Constraint – Accept (trust) the server certificate referenced in the TLSA record if it was issued by a trusted PKIX certification authority. The certificate and trust chain must pass the trust verification.
DANE-TA: Trust Anchor Assertion – Use of a defined trust anchor for the validation of the certificate. It does not have to be a PKIX certification authority that is trustworthy for the client. Trace the trust chain of the server certificate back to this trust anchor.
DANE-EE: Domain Issued Certificate – Accept (trust) the certificate referenced in the TLSA record; no trust hierarchy check.
The full certificate is used.
Only the public key is used.
3: Matching type
Full certificate, no hash; generates very long DNS responses.
SHA-256 hash value
SHA-512 hash value
4: Certificate association
The hash value of the certificate.
Why DANE makes TLS encryption better
The mere fact that a TLSA record is present in the recipient’s DNS has considerable information value: it shows that the receiving server can and wants to encrypt. Attacks such as the downgrade attack mentioned above are thus ruled out, because the sending server accesses the DNS before sending the email and reads out the TLSA entry.
Even more crucial is that the hash value published in the DNS authenticates the respective certificate. If an attacker tries to redirect the email using a forged certificate, this cannot succeed: The sending server recognises that the hash value does not match the certificate and refuses to deliver the email.
Since the authentication of the certificates is realised completely via the TLSA entry, self-signed certificates can also be used for secure TLS-based encryption – signed certificates from official certification authorities are not mandatory. With Let’s Encrypt, there are now also free alternatives to fee-based offerings.
The use of DNSSEC is a mandatory requirement for securing web and email traffic using DANE. However, administrators often shy away from this effort. In recent years, however, the number of DNS providers with DNSSEC support has increased, so that this is no longer a real obstacle. Thus, DANE not only helps to improve email and web server security, but additionally increases security for the entire DNS traffic.